Identity and access management

Identity and access management (IAM) can be defined as the management of an individual's identity, their authentication, authorisation for accessing resources and their privileges. It helps to implement good governance. The goal of IAM is to ensure that all resources are accessed in a secure manner and that users can gain access to the resources that they need, when they need them, to keep them productive.

IAM involves account management and self-service, federated access control and single sign-on (SSO), application and service provisioning and de-provisioning, and strong authentication. With these capabilities, IAM technologies control which users have access to what resources according to attributes such as their role in the organisation and the privileges that have been granted to them. The processes that are involved include the creation, management and deletion of users' digital identities, authorisation for access control, including the use of strong authentication, and reporting and audit functions for security and compliance purposes.

There have been a number of interesting developments in this market sector recently, which are outlined in the Vendor Landscape section.

All organisations handle sensitive data, from financial information to intellectual property, including personally identifiable information regarding employees, customers and business partners. That information needs to be secured against inappropriate access that could compromise the integrity or security of the data. IAM technologies are core tools for managing security risks associated with data compromise, as well as for ensuring compliance with industry standards and regulations that demand strong security controls are applied to sensitive data and that it is protected against unauthorised or inappropriate access.

IAM technologies provide key security controls for organisations of any size, in any vertical business. When they first emerged, it was primarily large organisations that deployed such technologies and they mostly used them for controlling access to applications and services deployed on internal networks. However, their evolution has made them suited for even small organisations, as well as for organisations wishing to control access to external applications and services, and for external constituents such as partners and customers. Whilst the IT decision makers will inevitably be involved in any systems purchase, all lines of business across an organisation should be involved.

When IAM technologies began to emerge, they were generally software suites implemented in-house by organisations in order to automate many of the tasks and processes involved in managing user identities and access rights - a process that did not scale using manual methods and spreadsheets. Such software suites were generally costly and complex to deploy, especially across large organisations, and were generally restricted to controlling access to enterprise applications running in-house.

Today, many of the applications used by organisations are provided by external parties and are accessed remotely, either as web-based applications or provisioned in the cloud, often on a subscription basis. Each application and service generally requires a distinct user name and password combination for access, along with other specific requirements such as password expiration cycles, creating password management challenges for organisations and individual users alike.

IAM systems are evolving to handle the challenges of access and authentication to online services, offering federated single sign-on for all applications a user needs to access, automated provisioning and deprovisioning of access rights, strong authentication and self-service tools for aiding productivity. Such systems cater to the needs of organisations that are increasingly providing users of mobile devices, including devices owned by the users themselves, with access to online applications and services. Newer developments include the provision of a hybrid model, whereby an identity bridge connects online application access to backend corporate directories, IAM technologies and other systems of record, providing access to enterprise applications for remote users, as well as potentially to partners and customers.

The vendor landscape for IAM technologies is a mix of specialists and large security companies, many of which cut their teeth with the development of enterprise IAM suites for on-premise deployment. The landscape has changed considerably over the past three years, prior to which there were just a handful of specialists offering online IAM services. Today, there is a wide range of specialist IAM vendors represented in the market. The larger vendors that developed enterprise-scale IAM systems have recently been expanding their offerings to include online IAM services and, in some cases, support for hybrid deployments. Some of those capabilities have been acquired from specialists or through partnerships.

The dynamism of this market sector can be seen in several recent developments that attest to its viability. Several of the independent vendors have recently received additional funding in order to expand their offerings and/or expand into new geographical markets. In early 2012, UnboundID received $12.5 million in Series B funding and in December of that year Okta received an additional $25 million. This has continued in 2013, with ForgeRock being awarded $15 million in April and, most recently, Ping Identity receiving $44 million in Series F funding. Ping Identity has announced that it is considering an IPO in 2014.

There have also been a couple of recent acquisitions. In November 2012, Axway acquired Vordel and in July 2013 RSA Security acquired Aveksa, which Bloor Research considers to be a highly innovative performer. The terms of neither acquisition have been publicly disclosed.